33 comments

[ 2.5 ms ] story [ 60.3 ms ] thread
> To present a passkey, you have to use a password manager.

This is what makes passkeys nonstarters for me.

that isn't true at all.

i regularly use a yubikey as a passkey, and it's entirely orthogonal to any password manager i use. it happily just works on firefox on both mac and linux.

to use a passkey, you need a place to store the passkey. that can be a hardware token, a tpm, or a password manager.

Yubikeys are an even worse solution, in my opinion. They dramatically increase the amount of hassle and maintenance required because you have to have multiples of them to ensure that you won't get locked out.

Also, it's not always convenient or possible to plug something into a machine you're using.

> to use a passkey, you need a place to store the passkey.

Yes, and any place that requires me to use particular piece of software, machine, or device is a real friction point for me.

Are you not already using password manager for all of your passwords?

It took forever to make any movement towards getting people to stop using the same password every where. Now we're telling people passwords aren't secure even with using a password manager and they should use passkeys. So now we're saying that using the same software that we spent so much time suggesting to use is not good enough. Instead, now you want them to use a dedicated piece of hardware that needs to never be lost, but people lose their phones frequently.

It's amazing to me how the majority of readers here absolutely cannot put themself in the place of non-computer nerds that spend 0% of their day thinking about code/security or anything other than what the Kardashiens are doing or their favorite influencer or whatever other nonsense that is everything and not nonsense to them. It's this kind of thinking that put us in this position that the people building the thing can't think about how the users will actually use it

It's not true at all.

Not many apps support passkeys, but for the ones that do, it's a godsend. No longer do I have to worry about whether my password is stored in Google, or Firefox, or if it's up to date, or what happens if I get hacked. I just plug my little key into the computer and tap it.

It's like having a physical key instead of having your password written in a page of an obscure book in the library. Probably safe, but someone dedicated can find it. A physical key can only be taken if my house gets robbed.

How do you plan to sync your passkey between devices?

Another feature of the password manager.

The fact that you can't actually see the passkey is absurd. I understand it's a "feature" prevent phishing — victims have a lot less to share — but it constrains more sophisticated storage and use of passwords.
Except you can store the passwords on a usb key / remote over bluetooth, and then also keep them secret from the potentially compromised host.
A passkey manager is morally required to do an extra factor of authentication (e.g. fingerprint, Face ID, hardware keys, etc.) when you login, but the site/app has no way of knowing/proving whether that happened; they just get the password.

Thought sites can request hardware attested passkeys? In this case usb keyfob, or passkeys instanced from a secure enclave, etc.?

Passkeys are the easiest way to lose access to your account.
They aren't passwords, they are just glorified private / public keys that are hard to manage due to all kind of attached requirements. But it's somewhat better now with tools like keepassxc.
The article looks like either author knows something I don't (but fails to link any source on their claims), or is a bunch of misinformation.

> Passkeys are randomly generated passwords that are required to be managed by a password manager.

This is not correct. Passkeys are keypairs, and unlike shared secrets (like passwords) they do not require private key material to be ever revealed to the remote system. That's the whole point of Webauthn - so servers never ever possibly see any secret credentials.

Otherwise - yes - they're random-looking blobs of data that is handled by a special software (which can be a password manager, but is not limited to password managers - e.g. an HSM like Yubikey can be used without any password management software), but that's where the similarity ends.

> Passkeys can be public/private keypairs, or they can just be secret passwords.

To best of my awareness, this is incorrect. I'm really curious where this idea comes from. In my understanding of the Webauthn spec it's all about public-key cryptography, attestations always use PublicKeyCredential. I'm not aware about any way to use a static token instead. Maybe it's possible to bastardize the standard somehow, but I doubt it's a real concern.

> Password managers provide no way for you to copy and paste your passkeys.

This is only partially true. Nothing in the spec, all up to implementers. At least KeypassXC sure provides a way to access your data: https://github.com/keepassxreboot/keepassxc/issues/10407. Other software behavior may vary.

> A passkey manager is morally required to do an extra factor of authentication [...] but the site/app has no way of knowing/proving whether that happened

This is partially correct. There is attestation in Webauthn, but to best of my awareness it's something frowned upon, so IMHO it's best if we all pretend it doesn't exist. If attestation is not required (which is AFAIK how most Webauthn-supporting services operate), it's up to user to decide on how they secure their system. And that's a good thing (YMMV), because it allows end user to have freedom of choice.

The design of passkeys is pretty solidly based around the idea that users are the weakest link the system and need to be protected from themselves. Given how criminally insecure passwords and push/code based MFA are in the face of user incompetence I have a hard time believing that WebAuthn is some grand plot by Big Tech to lock people into their walled gardens.

I think people on HN overestimate the security literacy of the average computer user in a personal/corporate setting. If a sophisticated attacker wanted to target an organiztion with passwords/push auth, it'd be trivial to get some subset of members to copy-paste passwords from managers and accept prompts. I think far more likely than lock-in is that FIDO members genuinely want to make their customers more secure, something that passkeys very much do accomplish for the average user.

That being said, I'm not rushing to enable passkeys on every site. If you already use a good password that enforces origin binding (the key strength of WebAuthn) and you extend that security perimeter through good OpSec (i.e., being careful when copy-pasting passwords), you're not getting much benefit.

> If a sophisticated attacker wanted to target an organiztion with passwords/push auth,

... it can target the Remote Code Executor: the web browser. /s

I don’t get the sentiment of the article.

The whole point about passkeys is to replicate the exact UX of passwords (registration, reset…) but offer protection against phishing, by using public key crypto.

If you want a different UX, use a hardware security key. But these failed to reach consumer adoption.

And of course the FIDO2 standard didn’t specify (yet) a way to move passkeys around, so each implementation chose their own way to do vendor lock in. But this will be fixed in a few iterations.

> Passkeys make it harder to switch password managers, because you can’t copy and paste them

Does it not depend on the manager? Doesn't keepass manager allow open access to your passkey so you could also copy and paste it?

My understanding of Passkeys used to be that they were hardware-bound, so stored in the system’s TPM, Secure Enclave, whatever. Somewhere they can’t be retrieved. As soon as I realised that wasn’t the case I lost all interest in Passkeys.

Why would I bother when it’s basically just a password? Some services I’ve seen dangerously accept it as a form of 2FA, when it’s anything but.

One key difference is that it's not anything like a password.

With a password, you send your password to the server and hope it's not intercepted or stored in plain text.

Passkeys are more equivalent to the server sending you some random data and asking you to sign that data plus the server url with your private key. Then the server can check it against the public key it has to verify you possess the correct private key. It's both phishing and replay resistant.

  To present a passkey, you have to use a password manager. This provides some anti-phishing protection.
Passkeys are locked to a domain, enforced by the browser. This completely breaks phishing. That's why we're doing this song and dance in the first place! You can't read a passkey over the phone or use it on the wrong website.

The lock-in issue is more complex:

- I write a VS Code extension for plain text passkey storage for simplicity. Do you allow servers to reject this? What should they reject? To oversimplify, the corporate folks argue for more control, the open source folks for less.

- There is an exchange protocol in the works for data migration: https://fidoalliance.org/specifications-credential-exchange-...

Having to centralise your, essentially login process, seems like an awful idea. Similarly to a paper ballot system, the current 'attack surface' of the huge array of password managers, text files, notebooks, etc renders compromising a specific someone's entire digital life not scalable really not so much a widespread thing.

When every service is using a handful of central login handlers, I can imagine oppressive regimes, malicious entities, etc will have a field day trivially getting access to everything they've done and said.

I'm not really a conspiracy theorist, but this definitely feels like it could go bad.

The article already defeats itself in the title: password managers are a must-have. One needs to choose a good password manager, but that's already true.
This article is pretty much all wrong.
It's telling that the "exchange protocol" was only begun to be developed after the main spec was written, and apparently as a response to pushback from the community. I can't imagine designing something like that and not having this be a core part of the feature set from day one. It's not even necessarily about switching vendors. When you first learn about passkeys, something as basic as what you need to do when you get a new computer is unclear. "The passwords are yours, we're just giving them a bodyguard" should have been the message from day one, but it wasn't of course, because that wasn't what was actually being pitched.

I want to point out a subtle part of this critique: I don't necessarily think that vendor lock-in or anything like that was an intentional goal (I make no claim either way there), but rather what is worrying to me is that the experiences of the designers of this technology seem to be so different from ours that this feature wasn't an obvious v1 need, and as such makes me worried that the "solution" will also not be representative of what we actually need (perhaps it will be overly complicated and focus on the large vendors and not on being able to extract them easily yourself for example). This all sort of makes sense though, given that it seems to have had significant influence from humongous corporations like Apple and Google, where the idea of moving away sincerely confuses them.

All of the "FIDO Alliance"[1] copy has a distinct tone of them seeing their job as chaperoning users like kids who don't know any better and are in constant danger of hurting themselves on the playground. Even the end user benefits read like business benefits on that site, with such gems as "Higher sign-in success rates". That made the list for convincing users? It's as if they've grown exasperated in trying to "teach" people about phishing, it feels like the obfuscation is a feature of passkeys, a long awaited release from the burden of learning about passwords. Which, to be clear, would possibly be great, if it handled the things people care about. But this obfuscation goes beyond the "implementation" and into the "usage". It goes from "it's simple to use" to "don't worry your pretty little head over that". I've found the whole thing rather bizarre, especially since many people on the browser side seem either oblivious to pushback, or annoyed. There is a unique "just trust us" feel to the this feature.

A brief note: This isn't all that unexpected for completely non-nefarious reasons. I've spoken before about a common pattern I've witnessed where "platform owners" (where "owner" can be anything from a "company" to a "developer") usually start off empathizing with the user, but the longer they work on the platform, the more contempt they develop for the user and the more empathy they develop for "the platform". I've seen it everywhere from language and compiler developers (where the more senior they are, the more the features they suggest tend to make the "compiler's life" easier, such as complex features that enable performance boosts, instead of trying to figure out how to make the code people write go faster; to web engine developers, who over time suggest lower and lower level features (such as WebGPU or WASM) vs. "going big" on high level semantic features, etc.). This makes sense if you've ever worked in these environments, the nature of bug fixing and reporting is such that you get an incredibly lopsided biased view of the usage of the platform: you see all the worst usage of it. Day after day, it can demoralize and lead you to think that what users need is in fact to have less say in what goes on, your trust in their ability to learn or improve d...

Passkeys seem like alpha software that somehow got shipped by mistake. Wake me up in 5 years when/if they are actually safely usable (not just securely usable). Until then I advise my family members to stay away from them and I think everyone else should too.
The difference is that I don't know my passkey by heart and can't give it away involuntarily. And the design of passkeys is way more robust than plain 2FA.
> Passkeys can be public/private keypairs, or they can just be secret passwords. (WebAuthn passkeys were designed by committee, so there’s always more than one way to do it.)

I'm surprised by this. Last time I checked, a few years ago, I couldn't create a passkey in Chrome without using either the Chrome developer tools to create an emulated passkey, or an actual hardware device. Why would I use a TPM to store a shared secret? Has this changed, or did I miss something?

> Instead, password managers recommend that sites/apps allow each user to have multiple passkeys. Sites/apps may or may not actually allow that, but, for now, that’s the only way to be sure a given user can login with both Google’s password manager and Apple’s password manager: give each password manager its own passkey for each site.

Having a simple procedure for rotating/replacing keys would probably be useful for the "switch password manager/TPM" case. I.e. a protocol between two password managers and a browser to do batch authorization of a new key. The migration story is one reason I don't use passkeys.

> Why would I use a TPM to store a shared secret?

There is no shared secret. A passkey is a public/private key pair.

Fully admitting, I'm still learning about this topic. Also admitting that my current impression of the whole passkey system looks like a massively user-hostile and lock-in prone technology. But I have some questions to better understand it:

- Suppose I'm a website owner and I handle authentication of my users with passkeys. Now for whatever reason, I want/have to move my site to a different domain. How would I "move" the passkeys, as they'd still be tied to the old domain?

- Passkeys on Yubikeys or other dedicated hardware token sounds easy enough and mostly reasonable. (I could buy a bunch if yubikeys, copy the keys onto each of then and keep some if them as a backup in the drawer. The security properties of those seem a lot like regular keys or chip cards) Passkeys on phones or on cloud accounts much less so, but this is the main method that is promoted and expected to be used by "regular" users. But what happens if I have my passkeys stored in a Google account or whatever and then Google decides to ban me? Do I permanently lose access not just to all Google services but also to all services that had a passkey stored?

- I have a set of passkeys on my phone and the phone gets stolen. Do I instantly lose access to all my services? Probably not, because the keys are still in the cloud, but then how do I authenticate to Google from a new device?

I think the summary of that is "passkeys only solve the problems the designers cared to solve, and I care about some others but not those".

I heard at a conference that users of one large freemail service store their passwords in an average of seven different files, so that provides an average of eight different possible attack vectors to get hold of a user's password — seven plus social engineering.